permit (mac-acl)

Creates a permit rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for forwarding. You can also use this command to modify an existing permit rule.

Note

The type keyword takes an EtherType either as one of the listed keywords or as a decimal number (<1-65535>). The hexadecimal values shown beside each keyword under Parameters are for reference only; for any EtherType that has no keyword, convert its hexadecimal value to decimal before entering it (for example, LLDP, 0x88CC, is entered as type 35020).

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|
any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],type [8021q|<1-65535>|aarp|
appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) 
{(rule-description <LINE>)}

Parameters

permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|
any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-63>],type [8021q|<1-65535>|aarp|
appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) 
{(rule-description <LINE>)}

<SOURCE-MAC> <SOURCE-MAC-MASK>

Configures the source MAC address and mask to match. The mask lets a single rule match a range of source addresses (for example, every address sharing one vendor OUI) instead of one host.

  • <SOURCE-MAC> – Specify the source MAC address to match.

  • <SOURCE-MAC-MASK> – Specify the source MAC address mask.

Packets received from the matching source MAC addresses are forwarded.

any

Identifies all devices as the source to permit access. Packets received from any source are forwarded.

host <SOURCE-HOST-MAC>

Identifies a specific host as the source to permit access

  • <SOURCE-HOST-MAC> – Specify the source host's exact MAC address to match. Packets received from the specified host are forwarded.

<DEST-MAC> <DEST-MAC-MASK>

Configures the destination MAC address and mask to match. As with the source mask, this lets one rule cover a range of destination addresses.

  • <DEST-MAC> – Specify the destination MAC address to match.

  • <DEST-MAC-MASK> – Specify the destination MAC address mask.

Packets addressed to the matching destination MAC addresses are forwarded.

any

Identifies all devices as the destination to permit access. Packets addressed to any destination are forwarded.

host <DEST-HOST-MAC>

Identifies a specific host as the destination to permit access

  • <DEST-HOST-MAC> – Specify the destination host's exact MAC address to match. Packets addressed to the specified host are forwarded.

dot1p <0-7>

Configures the 802.1p priority value to match. Selects the service class for traffic handling

  • <0-7> – Specify 802.1p priority from 0 - 7.

mark [8021p <0-7>,dscp <0-63>]

Marks matching packets for QoS handling (see Usage Guidelines). Choose one of:

  • 8021p <0-7> – Writes the specified 802.1p priority (0 - 7) into the 802.1Q tag of the frame.

  • dscp <0-63> – Writes the specified DSCP value (0 - 63) into the IP header.

type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]

Configures the EtherType value

An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:

  • 8021q – Indicates a 802.1q payload (0x8100)

  • <1-65535> – Indicates the EtherType protocol number

  • aarp – Indicates the Appletalk ARP payload (0x80F3)

  • appletalk – Indicates the Appletalk Protocol payload (0x809B)

  • arp – Indicates the ARP payload (0x0806)

  • ip – Indicates the IPv4 payload (0x0800)

  • ipv6 – Indicates the IPv6 payload (0x86DD)

  • ipx – Indicates the Novell IPX payload (0x8137)

  • mint – Indicates the MiNT protocol payload (0x8783)

  • rarp – Indicates the reverse ARP payload (0x8035)

  • wisp – Indicates the WISP payload (0x8783)

vlan <1-4095>

Configures the VLAN ID

  • <1-4095> – Specify the VLAN ID from 1 - 4095.

log

Logs all permit events matching this entry. Each time a packet matches the rule's source and/or destination MAC address criteria (together with any type, VLAN or dot1p criteria configured on the rule), an event is logged.

rule-precedence <1-5000> rule-description <LINE>

The following keywords can be appended to any of the parameter combinations above:

  • rule-precedence – Assigns a precedence for this permit rule

    • <1-5000> – Specify a value from 1 - 5000.

      Note: The lower the precedence value, the higher the priority. A rule with precedence 3 is evaluated before a rule with precedence 10, so give the more specific rules the lower numbers.

  • rule-description – Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines

The permit command in the MAC ACL allows traffic based on Layer 2 (data-link layer) information. A MAC access list permits traffic from a specific source MAC address or from any MAC address, and, by using the source mask, from a range of MAC addresses (for example, all addresses sharing a vendor OUI).

The MAC access list can be configured to allow traffic based on VLAN information, or Ethernet type. Common types include:

  • ARP

  • WISP

  • IP

  • 802.1q

Layer 2 traffic is not allowed by default. Access point adoption is carried over the WISP EtherType, so to adopt an access point through an interface on which a MAC ACL is applied, include a rule that permits type wisp; otherwise the adoption traffic is dropped along with everything else the ACL does not explicitly permit.

Use the mark option to set a QoS value on matching packets: mark dscp writes the DSCP value into the IP header, and mark 8021p writes the 802.1p priority into the 802.1Q tag of the frame.

Whenever the interface receives a packet, its content is checked against the access control entries (ACEs) in the ACL in precedence order, and the packet is forwarded, logged and marked according to the matching entry's configuration.

Note

To apply an IP based ACL to an interface, a MAC access list entry that permits ARP is mandatory. A MAC ACL always takes precedence over IP based ACLs, so without an explicit permit for ARP the address resolution that IP traffic depends on is dropped before the IP ACL ever sees it.
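The following MAC ACL is an added, annotated example written for this page; it is not taken from the original reference or from any WiNG configuration. It puts the guidelines above together: a rule that permits ARP so an IP ACL on the same interface can work, a rule that permits WISP so an access point can still be adopted through the interface, a rule that uses a decimal EtherType because LLDP has no keyword, a masked rule that marks DSCP, and a logged per-host rule. The ACL name, MAC addresses and precedence values are illustrative. The mask value assumes that set bits in the mask mark the address bits that must match; the page does not specify the mask format, so confirm it on your platform before relying on a masked rule. The closing interface binding is the command as the editor recalls it and is not documented on this page.

```text
! Added example (not from the original page). Names, addresses and
! precedence values are illustrative.
mac access-list edge-uplink
 ! 1. ARP must be permitted here or the IP ACL applied to the same
 !    interface never sees a resolved neighbour (MAC ACL runs first).
 permit any any type arp rule-precedence 10 rule-description allow-arp
 ! 2. WISP carries access point adoption through this interface.
 permit any any type wisp rule-precedence 20 rule-description ap-adoption
 ! 3. LLDP has no keyword: 0x88CC expressed in decimal is 35020.
 permit any any type 35020 rule-precedence 30 rule-description lldp
 ! 4. Masked rule (mask format assumed, verify on your platform): match
 !    every source address in the 00-11-22 OUI, log it and mark DSCP 46.
 permit 00-11-22-00-00-00 FF-FF-FF-00-00-00 any type ip log mark dscp 46 rule-precedence 100
 ! 5. Logged permit for one management host; a higher precedence value
 !    means it is evaluated after the more specific rules above.
 permit host 00-AA-BB-CC-DD-EE any log rule-precedence 500
!
! Interface binding (assumption: command as recalled, not documented on
! this page):
! interface ge1
!  use mac-access-list in edge-uplink
```

After entering the rules, run show context from within the ACL (as in the Examples below) and check that the ARP and WISP rules carry the lowest precedence values; if a later, broader rule were given a lower number it would be evaluated first and the intent of the specific rules would be lost.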

Examples

nx9500-6C8809(config-mac-acl-test)#permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
nx9500-6C8809(config-mac-acl-test)#permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
nx9500-6C8809(config-mac-acl-test)#show context
mac access-list test
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
nx9500-6C8809(config-mac-acl-test)#

Related Commands

no (mac-acl)

Removes or resets a specified MAC ACL permit rule